PESCAN.IO - Analysis Report Basic

File Structure
[Analysis image: PE chart. Colour key: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); file structure drawn in red = malformed or corrupted header. For non-PE files: printable characters (blue), non-printable characters (black).]
Information
Size: 3,79 MB
SHA-256 Hash: 24AC3588FB8CFBFF63B7FDFCBC7DEC1F3C60E54E6F949DD69D68E89E0C89D966
SHA-1 Hash: F8058E687F75A13A7874B569BF885F9097629271
MD5 Hash: 1B6D9C7CB4AD65DA282FC48A9A30F97E
Imphash: D42595B695FC008EF2C56AABD8EFD68E
MajorOSVersion: 6
MinorOSVersion: 1
CheckSum: 00000000
EntryPoint (rva): 78A00
SizeOfHeaders: 600
SizeOfImage: 41A000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 411000
IAT: 2960C0
Characteristics: 22
TimeDateStamp: 0
Date: 01/01/1970
File Type: EXE
Number Of Sections: 8
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, .xdata, .idata, .reloc, .symtab
Number Of Executable Sections: 1
Subsystem: Windows Console
UAC Execution Level Manifest: asInvoker

Sections Info
Section  Flags       Characteristics                          ROffset  RSize   VOffset  VSize   Entropy  Chi2
.text    0x60000020  Code, Executable, Readable               600      10F600  1000     10F511  6.2569   8912731.77
.rdata   0x40000040  Initialized Data, Readable               10FC00   184600  111000   184498  5.6852   32364510.83
.data    0xC0000040  Initialized Data, Readable, Writeable    294200   128400  296000   171EE8  7.0606   9716416
.pdata   0x40000040  Initialized Data, Readable               3BC600   7400    408000   726C    5.0305   1104936.72
.xdata   0x40000040  Initialized Data, Readable               3C3A00   200     410000   B4      1.7832   75780
.idata   0xC0000040  Initialized Data, Readable, Writeable    3C3C00   600     411000   53E     3.9943   71130.67
.reloc   0x42000040  Initialized Data, GP-Relative, Readable  3C4200   6600    412000   6524    5.4125   149141.29
.symtab  0x42000000  GP-Relative, Readable                    3CA800   200     419000   4       0.0204   130049
Description
OriginalFilename: psexec.c
CompanyName: Sysinternals - www.sysinternals.com
LegalCopyright: CompanyName
ProductName: Sysinternals PsExec
FileVersion: 2.43
ProductVersion: 2.43

Binder/Joiner/Crypter
3 Executable files found

Entry Point
Section number 1 (.text) contains the Entry Point.
EntryPoint (calculated file offset): 78000
Code -> E9DBC6FFFFCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC554889E59CFC4881ECE000000048893C2448
Assembler
|JMP 0XFFFFFFFFFFFFD6E0
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|PUSH RBP
|MOV RBP, RSP
|PUSHFQ
|CLD
|SUB RSP, 0XE0
|MOV QWORD PTR [RSP], RDI
Signatures
Certificate - Digital Signature:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual Studio
Detect It Easy (die)
Entropy: 6.5733

Suspicious Functions
Library      | Function          | Description
Ws2_32.DLL   | connect           | Establish a connection to a specified socket. [Possible Call API By Name]
KERNEL32.DLL | VirtualAlloc      | Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL | CopyFileW         | Copies an existing file to a new file.
KERNEL32.DLL | WriteFile         | Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL | LoadLibraryW      | Loads the specified module into the address space of the calling process.
KERNEL32.DLL | GetProcAddress    | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger.
Ws2_32.DLL   | socket            | Create a communication endpoint for networking applications.
ADVAPI32.DLL | CryptEncrypt      | Performs a cryptographic operation on data in a data block.
ADVAPI32.DLL | CryptDecrypt      | Performs a cryptographic operation on data in a data block.
Windows REG
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Windows REG (UNICODE)
Software\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels
Software\Sysinternals\%s
Software\Microsoft\windows nt\currentversion
Software\Sysinternals

File Access
\long name app.exe
//live.sysinternals.com/PsExec.exe
\Temp\psexec.exe
kernel32.dll
SHELL32.dll
ADVAPI32.dll
USER32.dll
USERENV.dll
COMDLG32.dll
MPR.dll
WS2_32.dll
NETAPI32.dll
VERSION.dll
GDI32.dll
USER32.dll
seconds/godebug/non-default-behavior/bcryptprimitives.dll
\users\ultrafastsuperfastntdll.dll
\TempONSTARTfdPHostSSDPSRVmpr.dll
.dll
deploy_gpo.ps1
\windowsconfig.msi
]nQHHCJS1K.Jar
*nQHHCJS1K.Jar
//www.sys
//live.sys
.dat
@.dat
wDzQY5ia.DmSDUQu.Dat
internal/abi.Name.Dat
\windowsconfig.msintuser.dat
time.Dat
uv8QDuyk1ba.LoG
AppData/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt
gw2iaaT.ini
baWdg25QH.ini
Q1Ut7QC.ini
PFpFql.ini
SFNNo7iM.ini
od19honn0.ini
C_BE0xkjiNN.ini
GCEKlJW.ini
math/big.ini
zOI3Gi.ini
aDPBmle.ini
rX5BMkY.ini
X5Zm4BH9m0.ini
dap7csu.ini
HJAcTRt.ini
mLScYHf.ini
L1R2MeJRCNv.ini
amIXtVZo4m7.ini
eDVysaa.ini
UPNoJjyS.ini
urW4mC.ini
D57q2ze1jmU6.ini
i5n1x0a.ini
aJRBM2.ini
sc60C4a4.ini
fJkdxu7y0ajh.ini
iL1yXrV.ini
qbBvL3BTZl.ini
a423GhEXy6.ini
reflect.ini
hdTJTWDLsR.ini
math.ini
_KklYyaipXg.ini
p3m07UITvB.ini
wDzQY5ia.ini
wDzQY5ia.map.ini
f5V5aBSq.ini
j3twaOjxdpa.ini
JayLd8wiRa1d.ini
sync.ini
s6Dx4x0l.ini
internal/bytealg.ini
internal/cpu.Ini
internal/abi.ini
\\$Domain\SYSVOL\$Domain\Policies\{$guid}\GPT.INI
\windowsconfig.msintuser.datntuser.ini
\intelnetlogonmsocacheSystem32perflogsboot.ini
drivers/etc/hosts
Temp
SysDir
AppData
UserProfile
Exec - vssadmin wevtutilsecurity-commandbad argspassworddisabledno-admin--system--sharesschtasks--silentgupdatesgupdateufdrespubupnphostfirewallwindowsg</exec></task>gostringfullpathscavengepolldescsynctesttracebuf

File Access (UNICODE)
You bear the risk of using it.Sys
ril.Sys
ntdll.dll
NtSetInformationProcessNtdll.dll
ConvertStringSidToSidWAdvapi32.dll
NetIsServiceAccountnetapi32.dll
psexesvc.exe
Modifier requires an integer presentation type for bool.exe
InitializeCriticalSectionExmscoree.dll
Wtsapi32.dll
Wow64DisableWow64FsRedirectionKernel32.dll
(null)mscoree.dll
KERNEL32.DLL
Kernel32.dll
netmsg.dll
CommandLineToArgvWShell32.dll
Riched32.dll
bcryptprimitives.dll
powrprof.dll
winmm.dll
Sysinternals - www.sys

Words of Interest
shadowcopy
wbadmin
vssadmin
JFIF
outlook
zombie
taskkill
Encrypt
Decrypt
Encryption
PassWord
exec
powershell
schtasks
netsh
taskkill
attrib
start
pause
cipher
gpupdate
wmic
shutdown
wevtutil
cacls
icacls
systeminfo
schtask
ping
vssadmin
bootsect
dism
expand
replace
route
wbadmin

Words of Interest (UNICODE)
PassWord
exec
start
shutdown
ping

URLs
http://tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion/
http://www.microsoft.com/exporting
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt
http://www.microsoft.com/pkiops/docs/primarycps.htm
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt
http://www.microsoft.com/pkiops/Docs/Repository.htm
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
https://go.dev/issue/66821
https://live.sysinternals.com/PsExec.exe
https://tox.chat/download.html
https://getsession.org
https://www.torproject.org/download/
https://x.com/TheGentlemen26
https://www.sysinternals.com

IP Addresses
127.0.0.1

PE Carving
Start Offset (Header)  End Offset  Size (Bytes)
0 2FAE00 2FAE00
2FAE00 374E80 7A080
374E80 3CAA00 55B80
Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (WSACleanup)
Text Ascii WinAPI Sockets (bind)
Text Ascii WinAPI Sockets (listen)
Text Ascii WinAPI Sockets (accept)
Text Unicode WinAPI Sockets (accept)
Text Ascii WinAPI Sockets (connect)
Text Unicode WinAPI Sockets (connect)
Text Ascii WinAPI Sockets (recv)
Text Ascii WinAPI Sockets (send)
Text Unicode WinAPI Sockets (send)
Text Ascii Registry (RegCreateKeyEx)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Registry (RegSetValueEx)
Text Ascii File (GetTempPath)
Text Ascii File (CopyFile)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Service (OpenSCManager)
Text Unicode Service (OpenSCManager)
Text Ascii Service (CreateService)
Text Unicode Service (CreateService)
Text Ascii Service (StartServiceCtrlDispatcher)
Text Unicode Service (StartServiceCtrlDispatcher)
Text Ascii Encryption API (CryptAcquireContext)
Text Ascii Encryption API (CryptGenKey)
Text Ascii Encryption API (CryptDeriveKey)
Text Ascii Encryption API (CryptDecrypt)
Text Ascii Encryption API (CryptReleaseContext)
Hex Hex Pattern PEB AntiDebug (Flag BeingDebugged)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (GetThreadContext)
Text Ascii Stealth (SetThreadContext)
Text Ascii Stealth (ExitThread)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (UnmapViewOfFile)
Text Ascii Stealth (MapViewOfFile)
Text Ascii Stealth (CreateFileMappingW)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Stealth (ReadProcessMemory)
Text Ascii Execution (CreateProcessA)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (ShellExecute)
Text Ascii Execution (ResumeThread)
Text Ascii Execution (OpenEventW)
Text Ascii Execution (CreateEventA)
Text Ascii Execution (CreateEventW)
Text Ascii Antivirus Software (sophos)
Text Ascii Antivirus Software (Symantec)
Text Unicode Privileges (SeChangeNotifyPrivilege)
Text Unicode Privileges (SeIncreaseWorkingSetPrivilege)
Text Unicode Privileges (SeShutdownPrivilege)
Text Unicode Privileges (SeTcbPrivilege)
Text Unicode Privileges (SeTimeZonePrivilege)
Text Unicode Privileges (SeUndockPrivilege)
Text Ascii Software that secretly monitors and collects user information (Spyware)
Text Ascii Movement from one compromised system to another within a network (Lateral)
Text Ascii Malware that monitors and collects user data (Spy)
Text Ascii Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Text Unicode Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Text Ascii Technique used to circumvent security measures (Bypass)
Entry Point Hex Pattern Microsoft Visual C++ 8.0 (DLL)
Intelligent String
• .bss
• Kernel32.dll
• ntdll.dll
• Advapi32.dll
• The software is subject to United States export laws and regulations.You must comply with all domestic and international export laws and regulations that apply to the software.These laws include restrictions on destinations, end users and end use.For additional information, see www.microsoft.com / exporting .
• \caps\fs20 6.\tab\fs19 Export Restrictions\caps0 .\b0The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations, end users and end use. For additional information, see {\cf1\ul{\field{\*\fldinst{HYPERLINK www.microsoft.com/exporting }}{\fldrslt{www.microsoft.com/exporting}}}}\cf1\ul\f0\fs19 <{{\field{\*\fldinst{HYPERLINK "http://www.microsoft.com/exporting"}}{\fldrslt{http://www.microsoft.com/exporting}}}}\f0\fs19 >\cf0\ulnone .\b\par
• L:\/finobj()
• goal , cons/mark maxTrigger= pages/byte
• deploy_gpo.ps1is a directoryComputerNameEx
• C:\Temp\psexec.exe<CalendarTrigger>
• exit hook invoked panicpattern bits too long: P256 point not on curveC:\ProgramData\Microsoftc:\program files\windowsReportingServicesServicerd /s /q C:\$Recycle.Bin<Principal id="Author">
• exec: Stdout already setexec: Stderr already settracecheckstackownershiphash of unhashable type span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCcheckfinalizers: queue: update during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAddr = range partially overlaps [recovered, repanicked]stack trace unavailable
• c:\program files\windowsapps\[+] Lateral movement finished[+] Found %d hosts in domain
• ping 127.0.0.1 -n 3 > nul
• exec: Cmd started a Process but leaked without a call to Wait is in a tiny block with other (possibly long-lived) values
• " -BackgroundColor Blue -ForegroundColor WhiteGet-NetFirewallRule -DisplayGroup "Network Discovery" | Enable-NetFirewallRule$xmlContent = $xmlContent -replace 'STARTBOUNDARY_PLACEHOLDER',$StartBoundary
• <Properties action="C" name="TASKNAME_PLACEHOLDER" runAs="NT AUTHORITY\System" logonType="S4U">
• Invoke-Command -ComputerName $comp -ScriptBlock { gpupdate /force } -ErrorAction SilentlyContinue
• try { Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -ErrorAction Stop } catch {}; try { DISM.exe /Online /Add-Capability /CapabilityName:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 } catch {}; try { Install-WindowsFeature RSAT-AD-PowerShell -ErrorAction Stop } catch {}Write-Host "[+] Installing required modules..."
• 4: --password QWERTY --path "C:\,D:\,\\nas\share" --T 15 --silent
• Brute-force, RAM dumps, third-party recovery tools are useless.
• Download Tox messenger: https://tox.chat/download.html
• Download Session https://getsession.org
• Check our blog: http://tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion/
• Follow us on X: https://x.com/TheGentlemen26
• winmm.dll
• powrprof.dll
• bcryptprimitives.dll
• Riched32.dll
• Shell32.dll
• netmsg.dll
• Modifier requires an integer presentation type for bool.exe
• \\{}\admin$\PSEXEC-{}-{:08X}.key
• Usage: psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd]][-n s][-r servicename][-h][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-<priority>][-g n][-a n,n,...][-verbose] cmd [arguments]
• -u Specifies optional user name for login to remote
• c:\long name app.exe".
• GDI32.dll
• KERNEL32.DLL
• mscoree.dll
• D:\a\1\s\psexec\exe\Win32\Release\psexec.pdb
• NETAPI32.dll
• WS2_32.dll
• KERNEL32.dll
• ADVAPI32.dll
• Sysinternals - www.sysinternals.com
• .exe
• %%systemroot%%\PSEXEC-%s-%08X.key
• \\.\pipe\%s-%s-%d-stdin
• \\.\pipe\%s-%s-%d-stdout
• \\.\pipe\%s-%s-%d-stderr
• \\.\pipe\%s
• Wtsapi32.dll
• D:\a\1\s\psexec\svc\Win32\Release\psexesvc.pdb
• psexesvc.exe
• kernel32.dll

Flow Anomalies
Offset RVA Section Description
E1D5 N/A .text JMP QWORD PTR [RIP+0xE8840F]
BFFE4 N/A .text JMP QWORD PTR [RIP+0x8F280000]
C956B N/A .text JMP QWORD PTR [RIP+0xFFF826E9]
136067 N/A .rdata CALL QWORD PTR [RIP+0xFF000001]
1496B0 N/A .rdata CALL QWORD PTR [RIP+0x14011]
14A438 N/A .rdata JMP QWORD PTR [RIP+0xFFFF0000]
14B278 N/A .rdata JMP QWORD PTR [RIP+0xFFFF0000]
165821 N/A .rdata CALL QWORD PTR [RIP+0x10]
165827 N/A .rdata CALL QWORD PTR [RIP+0x0]
1B1D1F N/A .rdata JMP QWORD PTR [RIP+0xFF000004]
1B33F3 N/A .rdata JMP QWORD PTR [RIP+0x34000018]
1B3F03 N/A .rdata JMP QWORD PTR [RIP+0x34000018]
1B776B N/A .rdata JMP QWORD PTR [RIP+0x350000DE]
1B7903 N/A .rdata JMP QWORD PTR [RIP+0xFF000045]
1B792F N/A .rdata CALL QWORD PTR [RIP+0x240000DD]
1B8367 N/A .rdata JMP QWORD PTR [RIP+0x34000018]
1B91CB N/A .rdata JMP QWORD PTR [RIP+0x34000018]
1B96BB N/A .rdata JMP QWORD PTR [RIP+0x30000051]
1BB9CB N/A .rdata JMP QWORD PTR [RIP+0x2F000068]
1BC4FF N/A .rdata JMP QWORD PTR [RIP+0xD0000085]
1BCD8B N/A .rdata JMP QWORD PTR [RIP+0x34000087]
1BD5C7 N/A .rdata JMP QWORD PTR [RIP+0x34000018]
1BF21B N/A .rdata CALL QWORD PTR [RIP+0x2300009E]
1C197F N/A .rdata JMP QWORD PTR [RIP+0x9D0000CC]
1C24A7 N/A .rdata JMP QWORD PTR [RIP+0xFF000087]
1C5C77 N/A .rdata JMP QWORD PTR [RIP+0xFF00013E]
1C5E8F N/A .rdata CALL QWORD PTR [RIP+0x2200013B]
1C7123 N/A .rdata CALL QWORD PTR [RIP+0xCA000152]
1C823B N/A .rdata CALL QWORD PTR [RIP+0xCA000152]
1C84AF N/A .rdata CALL QWORD PTR [RIP+0xCA000152]
1C8D9B N/A .rdata JMP QWORD PTR [RIP+0x34000018]
1C8FA7 N/A .rdata CALL QWORD PTR [RIP+0x162]
1C9AB7 N/A .rdata JMP QWORD PTR [RIP+0x34000018]
1FE859 N/A .rdata CALL QWORD PTR [RIP+0x1016840F]
25B29F N/A .rdata CALL QWORD PTR [RIP+0x1F000011]
2619AF N/A .rdata CALL QWORD PTR [RIP+0xE1000011]
2621B7 N/A .rdata CALL QWORD PTR [RIP+0x1F000011]
263E77 N/A .rdata CALL QWORD PTR [RIP+0x32000011]
26BE67 N/A .rdata CALL QWORD PTR [RIP+0xFC000011]
27794F N/A .rdata CALL QWORD PTR [RIP+0x0]
27C22B N/A .rdata JMP QWORD PTR [RIP+0x87000000]
27DDFF N/A .rdata CALL QWORD PTR [RIP+0xAB000004]
28113F N/A .rdata CALL QWORD PTR [RIP+0x1F000004]
283BEF N/A .rdata CALL QWORD PTR [RIP+0xAB000004]
283D97 N/A .rdata CALL QWORD PTR [RIP+0xA2000011]
289847 N/A .rdata CALL QWORD PTR [RIP+0xD5000036]
297D5C N/A .data CALL QWORD PTR [RIP+0xFB246050]
29855E N/A .data CALL QWORD PTR [RIP+0xFB241998]
29895D N/A .data CALL QWORD PTR [RIP+0xFB241950]
2A7AF0 N/A .data CALL QWORD PTR [RIP+0xC6E6BF5D]
2B1265 N/A .data JMP QWORD PTR [RIP+0x880A54C9]
2B13C0 N/A .data JMP QWORD PTR [RIP+0x48DE7415]
2FB804 N/A .data CALL QWORD PTR [RIP+0x4411A4]
2FB812 N/A .data CALL QWORD PTR [RIP+0x4411A8]
2FB8B1 N/A .data CALL QWORD PTR [RIP+0x4411A4]
2FBAF9 N/A .data CALL QWORD PTR [RIP+0x44119C]
2FBB27 N/A .data CALL QWORD PTR [RIP+0x441198]
2FBB43 N/A .data CALL QWORD PTR [RIP+0x4411A0]
2FBBF4 N/A .data CALL QWORD PTR [RIP+0x47AD74]
2FBC00 N/A .data CALL QWORD PTR [RIP+0x47AD78]
2FBC45 N/A .data CALL QWORD PTR [RIP+0x47AD74]
2FBC5C N/A .data CALL QWORD PTR [RIP+0x47AD80]
2FBC6A N/A .data CALL QWORD PTR [RIP+0x47AD80]
2FBD54 N/A .data CALL QWORD PTR [RIP+0x47AD68]
2FBE55 N/A .data CALL QWORD PTR [RIP+0x4410A8]
2FBE7B N/A .data CALL QWORD PTR [RIP+0x4410A4]
2FBE86 N/A .data CALL QWORD PTR [RIP+0x4410B4]
2FBF52 N/A .data CALL QWORD PTR [RIP+0x441194]
2FBF59 N/A .data CALL QWORD PTR [RIP+0x44118C]
2FBFC3 N/A .data CALL QWORD PTR [RIP+0x441188]
2FBFDA N/A .data CALL QWORD PTR [RIP+0x4410BC]
2FBFFC N/A .data CALL QWORD PTR [RIP+0x47AD6C]
2FC003 N/A .data CALL QWORD PTR [RIP+0x47AD7C]
2FC056 N/A .data CALL QWORD PTR [RIP+0x47AD58]
2FC0A6 N/A .data CALL QWORD PTR [RIP+0x47AD88]
2FC0D8 N/A .data CALL QWORD PTR [RIP+0x47AD54]
2FC0F6 N/A .data CALL QWORD PTR [RIP+0x47AD50]
2FC10F N/A .data CALL QWORD PTR [RIP+0x47AD4C]
2FC12D N/A .data CALL QWORD PTR [RIP+0x47AD50]
2FC146 N/A .data CALL QWORD PTR [RIP+0x47AD4C]
2FC160 N/A .data CALL QWORD PTR [RIP+0x47AD60]
2FC169 N/A .data CALL QWORD PTR [RIP+0x47AD7C]
2FC257 N/A .data CALL QWORD PTR [RIP+0x441184]
2FC26C N/A .data CALL QWORD PTR [RIP+0x441190]
2FC401 N/A .data CALL QWORD PTR [RIP+0x4410A4]
2FC4FE N/A .data CALL QWORD PTR [RIP+0x4410A4]
2FC532 N/A .data CALL QWORD PTR [RIP+0x441194]
2FC539 N/A .data CALL QWORD PTR [RIP+0x44118C]
2FC54F N/A .data CALL QWORD PTR [RIP+0x441180]
2FC719 N/A .data CALL QWORD PTR [RIP+0x47AD84]
2FC723 N/A .data CALL QWORD PTR [RIP+0x441178]
2FC743 N/A .data CALL QWORD PTR [RIP+0x4410B0]
2FC762 N/A .data CALL QWORD PTR [RIP+0x4410A0]
2FC935 N/A .data CALL QWORD PTR [RIP+0x44118C]
2FC9A6 N/A .data CALL QWORD PTR [RIP+0x441174]
2FCAEE N/A .data CALL QWORD PTR [RIP+0x441174]
2FCE60 N/A .data CALL QWORD PTR [RIP+0x441070]
2FCEAE N/A .data CALL QWORD PTR [RIP+0x441070]
2FCF5B N/A .data CALL QWORD PTR [RIP+0x47ADD8]
2FCF89 N/A .data CALL QWORD PTR [RIP+0x441184]
79A22-79B20 N/A .text Potential obfuscated jump sequence detected, count: 51
601-61F N/A .text Unusual BP Cave, count: 31
23A2-23BF N/A .text Unusual BP Cave, count: 30
2D21-2D3F N/A .text Unusual BP Cave, count: 31
2D61-2D7F N/A .text Unusual BP Cave, count: 31
FEE2-FEFF N/A .text Unusual BP Cave, count: 30
11662-1167F N/A .text Unusual BP Cave, count: 30
146A2-146BF N/A .text Unusual BP Cave, count: 30
14DE1-14DFF N/A .text Unusual BP Cave, count: 31
158E1-158FF N/A .text Unusual BP Cave, count: 31
159C1-159DF N/A .text Unusual BP Cave, count: 31
168E2-168FF N/A .text Unusual BP Cave, count: 30
19101-1911F N/A .text Unusual BP Cave, count: 31
19442-1945F N/A .text Unusual BP Cave, count: 30
1D282-1D29F N/A .text Unusual BP Cave, count: 30
1D862-1D87F N/A .text Unusual BP Cave, count: 30
1E9E2-1E9FF N/A .text Unusual BP Cave, count: 30
21C02-21C1F N/A .text Unusual BP Cave, count: 30
239E2-239FF N/A .text Unusual BP Cave, count: 30
26502-2651F N/A .text Unusual BP Cave, count: 30
35262-3527F N/A .text Unusual BP Cave, count: 30
36161-3617F N/A .text Unusual BP Cave, count: 31
39A01-39A1F N/A .text Unusual BP Cave, count: 31
39A81-39A9F N/A .text Unusual BP Cave, count: 31
39B01-39B1F N/A .text Unusual BP Cave, count: 31
39B81-39B9F N/A .text Unusual BP Cave, count: 31
39C01-39C1F N/A .text Unusual BP Cave, count: 31
39C81-39C9F N/A .text Unusual BP Cave, count: 31
39D01-39D1F N/A .text Unusual BP Cave, count: 31
39D81-39D9F N/A .text Unusual BP Cave, count: 31
3D5A2-3D5BF N/A .text Unusual BP Cave, count: 30
3F7A2-3F7BF N/A .text Unusual BP Cave, count: 30
400C1-400DF N/A .text Unusual BP Cave, count: 31
40101-4011F N/A .text Unusual BP Cave, count: 31
49642-4965F N/A .text Unusual BP Cave, count: 30
4F322-4F33F N/A .text Unusual BP Cave, count: 30
539E1-539FF N/A .text Unusual BP Cave, count: 31
54061-5407F N/A .text Unusual BP Cave, count: 31
58A41-58A5F N/A .text Unusual BP Cave, count: 31
5A3E2-5A3FF N/A .text Unusual BP Cave, count: 30
5ABA2-5ABBF N/A .text Unusual BP Cave, count: 30
5DEE2-5DEFF N/A .text Unusual BP Cave, count: 30
5E702-5E71F N/A .text Unusual BP Cave, count: 30
64761-6477F N/A .text Unusual BP Cave, count: 31
64AE2-64AFF N/A .text Unusual BP Cave, count: 30
66702-6671F N/A .text Unusual BP Cave, count: 30
67EA2-67EBF N/A .text Unusual BP Cave, count: 30
6CF41-6CF5F N/A .text Unusual BP Cave, count: 31
6DB82-6DB9F N/A .text Unusual BP Cave, count: 30
6E662-6E67F N/A .text Unusual BP Cave, count: 30
6F082-6F09F N/A .text Unusual BP Cave, count: 30
71EC1-71EDF N/A .text Unusual BP Cave, count: 31
739E1-739FF N/A .text Unusual BP Cave, count: 31
748A1-748BF N/A .text Unusual BP Cave, count: 31
74AC2-74ADF N/A .text Unusual BP Cave, count: 30
76581-7659F N/A .text Unusual BP Cave, count: 31
767E2-767FF N/A .text Unusual BP Cave, count: 30
77421-7743F N/A .text Unusual BP Cave, count: 31
7B1C2-7B1DF N/A .text Unusual BP Cave, count: 30
7B242-7B25F N/A .text Unusual BP Cave, count: 30
7BBA1-7BBBF N/A .text Unusual BP Cave, count: 31
7CAA2-7CABF N/A .text Unusual BP Cave, count: 30
80181-8019F N/A .text Unusual BP Cave, count: 31
82881-8289F N/A .text Unusual BP Cave, count: 31
837E2-837FF N/A .text Unusual BP Cave, count: 30
88FA2-88FBF N/A .text Unusual BP Cave, count: 30
8F162-8F17F N/A .text Unusual BP Cave, count: 30
8F282-8F29F N/A .text Unusual BP Cave, count: 30
A9362-A937F N/A .text Unusual BP Cave, count: 30
B4981-B499F N/A .text Unusual BP Cave, count: 31
B95E2-B95FF N/A .text Unusual BP Cave, count: 30
BD7E1-BD7FF N/A .text Unusual BP Cave, count: 31
CD5E2-CD5FF N/A .text Unusual BP Cave, count: 30
D6882-D689F N/A .text Unusual BP Cave, count: 30
D9E22-D9E3F N/A .text Unusual BP Cave, count: 30
E1622-E163F N/A .text Unusual BP Cave, count: 30
EE3A1-EE3BF N/A .text Unusual BP Cave, count: 31
EE4A1-EE4BF N/A .text Unusual BP Cave, count: 31
F5C81-F5C9F N/A .text Unusual BP Cave, count: 31
F7682-F769F N/A .text Unusual BP Cave, count: 30
102CA2-102CBF N/A .text Unusual BP Cave, count: 30
109402-10941F N/A .text Unusual BP Cave, count: 30
10FAC2-10FB10 N/A .text Unusual BP Cave, count: 79
377011-37702F N/A .data Unusual BP Cave, count: 31
37A262-37A27F N/A .data Unusual BP Cave, count: 30
Extra Analysis
Metric Value Percentage
Ascii Code 2246902 56,5162%
Null Byte Code 781032 19,6452%
NOP Cave Found 0x9090909090 Block Count: 13 | Total: 0,0008%